Free Resources for Incident Response Professionals
To help make your tough job a bit easier.
Analyst Reference
More than a cheat sheet, less than a book, these are primers and references for some of the core topics incident responders need to understand.
Lateral Movement Analyst Reference
Adversaries move from system to system once they compromise a network. Learn to detect lateral movement within your environment.
Event Log Analyst Reference
Windows Event Logs store an increasingly rich set of data. This reference walks you through configuring, storing and analyzing Windows events.
Memory Analysis with Volatility Analyst Reference
The battle for our boxes is increasingly being fought in RAM. Learn to use Volatility to hunt for evil on your systems.
Credential Defense Analyst Reference
Most attackers use credential theft as a key tactic. This document presents key defensive controls to make your environment a harder target.
Quick Reference
These are short cheat sheets that you can use to keep syntax and key facts close at hand.
Default Windows Processes Quick Reference
A quick reference on the normal system processes of a Windows system, including each executable’s path on disk, the usual process tree, and a description of each process.
WMIC Quick Reference
The Windows Management Instrumentation Command-line (WMIC) utility is a great resource for incident responders. This quick reference will help you with examples and syntax.
PowerShell Quick Reference
A quick reference for exploring the immense value of PowerShell for incident response, including basic syntax and useful cmdlets.
Presentations
PDFs of the slides from some of our public talks.
Pass the What Now? Understanding Credential Attacks in a Windows 11 World
Review pass-the-hash, pass-the-ticket, and other classic attacks. Then look at Microsoft’s Modern Authentication, attacks against it, and how it relates to your environment.
The Light Side of the Force: PowerShell for Incident Response
A high-level look at how PowerShell and PowerShell Remoting can benefit incident responders and network defenders using built-in capabilities.
Pivot and Pillage: Lateral Movement within a Victim Network
This presentation accompanies our Lateral Movement Analyst Reference PDF to highlight ways to detect and defeat hidden adversaries.
BYOD or Bring Your Own Destruction
Examine the assumptions that have gone into BYOD policies and take a moment to evaluate how reasonable our rush to embrace this approach has been.
A Network Defender’s Guide to Credential Attacks
A look at common credential attacks on premises, in the cloud, and across the Internet, with the goal of understanding how to prevent and detect them.
Do You Want to Build a Test Lab?
You can get free Microsoft licenses from here:
https://www.microsoft.com/en-us/evalcenter/
You can configure a test domain using the Config-LabSystem.ps1 script and the associated UserList.csv below.
Additional Links
If you would like some recommendations for other sites to get great IT security information, click here.
Get the book
Applied Incident Response details effective ways to respond to advanced attacks against local and remote network resources, providing proven response techniques and a framework through which to apply them.